Abstract

We have been talking about security in the Graphics Stack for some time. Wayland has fixed all the
problems we had … but at the expense of usability and accessibility, as applications are now unable
to perform any sensitive task such as taking screenshots or injecting input events. Yet some
applications (especially the ones related to accessibility) really DO require privileged capabilities
and should work across the different Wayland compositors. Before designing privileged interfaces, it
was thus necessary to think about how to handle privileged clients securely. The biggest issue with
handling privileged clients is not how to grant them the rights; it is making sure that the
user understands what is going on on his/her system. This sometimes requires capturing the user’s
intent somewhere in the TCB (Trusted Code Base), often in the compositor.

In February, we proposed a way to handle privileged clients. We started by listing different
ways of capturing the user’s intent in the Wayland compositor. We then discussed how to expose the
current security threats and vulnerabilities to the user by adding an icon to the systray, allowing the user
to see which security properties may become violated and by which programs. The user could then
revoke those rights from an application for the current instance or for any further instance.

We also proposed a way to delegate security decisions within the compositor to a centralized security
decision engine such as SELinux, AppArmor or polkit. This would allow distro developers to ship
applications together with their security policy for the system and the graphical environment. We called this
proposal Wayland Security Module (WSM) because it resembles the Linux Security Module interface
found in the Linux kernel. An Android-like system could thus be implemented where the package manager
displays the capabilities required by the application and the user selects the permissions he/she
grants to the application. The same policy could be shared across all the Desktop Environments thanks
to the common WSM interface that all Wayland compositors would need to use. Work on the WSM
is currently under way.

This leads us to another GUI-related problem: applications should be able to access files
only when the user wants them to. Capturing the user’s intent when it comes to giving an
application permission to open a file requires delegating the file chooser to an external process. Doing so raises
several challenges that we will discuss before presenting our proposal and showing you our
interface (both from the code and the GUI perspective).

Currently, any application can pretend to be your DE’s window that asks for credentials. This inspired
us to look into the different authorization and authentication UIs on major OSes and their problems.
We finally proposed several ways of making your DE’s authentication window unspoofable by making it
trivial for a user to check its legitimacy.